Local Policy for Desktop Support Group

Sean · Aug 3, 2005

I've been researching this scenario and so far have not been able to come up
with a way to do it.

I need to have a local account called DesktopSupport or something along
those lines that can install/update device drivers, use run-as to
uninstall/reinstall software that requires administrator rights (initially
deployed under admin context with SMS), etc.. however, I need to restrict
the account from being able to add members to local administrators group.

Is their a way to restrict a member of the local administrators group from
managing the local administrators group?

Colin Nash [MVP] · Aug 3, 2005

Sean said:
I've been researching this scenario and so far have not been able to come
up with a way to do it.

I need to have a local account called DesktopSupport or something along
those lines that can install/update device drivers, use run-as to
uninstall/reinstall software that requires administrator rights (initially
deployed under admin context with SMS), etc.. however, I need to restrict
the account from being able to add members to local administrators group.

Is their a way to restrict a member of the local administrators group from
managing the local administrators group?

Either make them "Power Users" - which probably won't work for all software
installations, or consider using Group Policy (if you have a domain) to
define the memberships of the Administrators group. See
http://support.microsoft.com/?kbid=279301

Group Policy	12	Jan 15, 2009
Local Group added to local Administrators group	2	Jan 30, 2006
Remote Desktop local policy error	1	Jul 25, 2006
can not add myself into the local admin group. But am the Domain A	1	Jul 16, 2008
Adding a group to local admin group	4	Sep 25, 2007
No users in Local Administrators Group	2	Jan 21, 2009
add domainuser account to local group	2	Jul 10, 2006
Group Policy	4	Feb 9, 2005

Local Policy for Desktop Support Group

Sean

Colin Nash [MVP]

Ask a Question

Similar Threads